Troy McClure:Thanks for sharing this with other potential skimmer scammers.

Because if it were not for news stories criminals would have no other way to share information, right? None at all. It is good for people to know how authentic these devices look, maybe it will cause a few people to be observant and alert authorities, or some people may decide to pay inside or pay with cash, which are also good. But no, we shouldn't share this information because the criminals may use this information which they had absolutely no way of sharing before, none at all.

OldRod:Would be nice if the article told people how to spot one ... or is there no way to spot it?

I live in Kansas... if these guys move north, I want to be on the lookout :)

These are tougher than typical skimmers, which require some sort of install over an existing card reader. I always jiggle the reader a bit just to check if it's loose, but since you don't have a PIN to steal with a credit card, the usual protection of covering your input doesn't work.

Basically, just always check your credit card statements. You've got a lot more protections on unauthorized charges on CCs than on debits.

I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

Cuyose:I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

Yeah, and it's also possible that the pumps wouldn't share a handful of different standard keylocks. But here we are.

I don't know what others are doing, but QuikTrip has taken to getting their own security seals and putting them across the access panels of the pump. I don't know what their protocol is for checking them, but that provides evidence of tampering. How many are picked at and peeled away by people just filling their tanks is another question.

M-G:Yeah, and it's also possible that the pumps wouldn't share a handful of different standard keylocks. But here we are.

I don't know what others are doing, but QuikTrip has taken to getting their own security seals and putting them across the access panels of the pump. I don't know what their protocol is for checking them, but that provides evidence of tampering. How many are picked at and peeled away by people just filling their tanks is another question.

because if somebody is willing to craft a credit card skimmer that looks exactly like the stock card reader, they would never have the ability to simply make counterfeit "security seals", right?

/There is really no way to stop someone who is educated and determined enough

Alonjar:M-G: Yeah, and it's also possible that the pumps wouldn't share a handful of different standard keylocks. But here we are.

I don't know what others are doing, but QuikTrip has taken to getting their own security seals and putting them across the access panels of the pump. I don't know what their protocol is for checking them, but that provides evidence of tampering. How many are picked at and peeled away by people just filling their tanks is another question.

because if somebody is willing to craft a credit card skimmer that looks exactly like the stock card reader, they would never have the ability to simply make counterfeit "security seals", right?

/There is really no way to stop someone who is educated and determined enough

Cuyose:I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

The skimmers usually do not actually replace the electronics at the pump, they simply grab the info also. There is no need to connect into the hardware of the pump, thus any attempt to create a hardware signature would be pointless.

Cuyose:I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

Are you talking about the cards or the readers? Authenticating the readers to the backend doesn't help much. They'd just skim the physical card with a second sensor or something. All they're after is the data on the card's magstripe. The reader's just bait to get you to swipe your card through their device.

If they were serious about stopping this sort of stuff, they'd do away with dumb plastic cards and start using something more like RSA tokens.

In this day and age, who uses cash? Depending on your area, you may be more likely to get robbed than skimmed.

Spend a few minutes in your local gas station and you'll see there are plenty. The gas station is my only local source for Mountain Dew Throwback and there are plenty of people getting gas, usually with just a 20, sometimes less. And some chains like Swifty give you a cash discount. Not really one close enough to my driving habits to make much good of that though.

Alonjar:because if somebody is willing to craft a credit card skimmer that looks exactly like the stock card reader, they would never have the ability to simply make counterfeit "security seals", right?

The security seals are serialized, so if they verify those numbers, it would still be detected.

ProfessorOhki:Cuyose: I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

Are you talking about the cards or the readers? Authenticating the readers to the backend doesn't help much. They'd just skim the physical card with a second sensor or something. All they're after is the data on the card's magstripe. The reader's just bait to get you to swipe your card through their device.

If they were serious about stopping this sort of stuff, they'd do away with dumb plastic cards and start using something more like RSA tokens.

The Europeans have been using "chip-and-pin" (EMV) for years. Visa and MasterCard have told American retailers to get on board with EMV by October 2015 (except for "pay and pump", which has to accept EMV by 2017) as they will no longer cover fraudulent charges with mag stripe transactions.

dustman81:ProfessorOhki: Cuyose: I really don't understand how they can't fit these things with private key authentication or something. All of them talk to a server. Whenever the power goes out, or voltage is interrupted during a swap, can't the whole reader mechanism just go dead and have to be re-authenticated against the known hardware signature of the unit?

Are you talking about the cards or the readers? Authenticating the readers to the backend doesn't help much. They'd just skim the physical card with a second sensor or something. All they're after is the data on the card's magstripe. The reader's just bait to get you to swipe your card through their device.

If they were serious about stopping this sort of stuff, they'd do away with dumb plastic cards and start using something more like RSA tokens.

The Europeans have been using "chip-and-pin" (EMV) for years. Visa and MasterCard have told American retailers to get on board with EMV by October 2015 (except for "pay and pump", which has to accept EMV by 2017) as they will no longer cover fraudulent charges with mag stripe transactions.

I work at a large national financial institution in the financial crimes division. For debit transactions where the mag stripe is read, they have already stopped allowing merchant chargebacks as of 4/20... so if your bank doesn't want to cover mag stripe read signature based transactions, then the liability is on you... good luck with that.

azpenguin:We just pay inside. Takes one extra minute and we usually want something cold to drink anyway, especially in the summer months.

Not to mention some folks can't swing the initial $125 hold you get for swiping the card at the pump. Pay inside and it's only going to be the $35 you requested, plus a carton of smokes, two bottles of soda, an XXL fountain drink and half a dozen items from the roller grill.... for $95 or so...

Saberus Terras:azpenguin: We just pay inside. Takes one extra minute and we usually want something cold to drink anyway, especially in the summer months.

Not to mention some folks can't swing the initial $125 hold you get for swiping the card at the pump. Pay inside and it's only going to be the $35 you requested, plus a carton of smokes, two bottles of soda, an XXL fountain drink and half a dozen items from the roller grill.... for $95 or so...

don't forget to grab a box of those 'fresh' week old krispy kreme donuts... and a pack of magnum xl condoms (to impress the cute checkout girl)... and some of those hot new scratch off lottery tickets (I'm feeling lucky)...

Sofa King Smart:don't forget to grab a box of those 'fresh' week old krispy kreme donuts... and a pack of magnum xl condoms (to impress the cute checkout girl)... and some of those hot new scratch off lottery tickets (I'm feeling lucky)...

They're always out of the donuts when I get there, the XL's are too small (and she can see my kielbasa through my jeans, first time I was there she fainted), and I rarely feel like playing lotto, I'd be stealing money from the poor folks who play religiously.